- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Mon, 09 May 2016 11:46:07 -0400
- To: public-webpayments-comments@w3.org
Forwarding comments that were intended to also go to this mailing list...

-------- Forwarded Message --------
Subject: Re: Request for informal review of Verifiable Claims WG Charter
Resent-Date: Tue, 26 Apr 2016 03:07:30 +0000
Resent-From: w3c-ac-forum@w3.org
Date: Mon, 25 Apr 2016 23:07:02 -0400
From: Manu Sporny <msporny@digitalbazaar.com>
To: w3c-ac-forum@w3.org

On 04/01/2016 11:55 AM, Michael Champion wrote:
>> Could you identify those de jure standards efforts so that we may
>> differentiate this work from those efforts (if they are different)
>> in the FAQ?
>
> From our security experts’ reading of the proposed charter, much of
> the scope is covered by work in progress in another SDO. I believe
> they are engaged mainly in JTC1 SC 27
> [http://www.iso.org/iso/iso_technical_committee?commid=45306,
> https://en.wikipedia.org/wiki/ISO/IEC_JTC_1/SC_27] and the specific
> efforts include: “ISO/IEC 29191 Requirements for partially
> anonymous, partially unlinkable authentication”, “ISO/IEC 29003
> Identity proofing”, “WG 5 Study Period on Privacy-preserving
> attribute-based entity authentication”.

Hi Michael, my apologies for taking so long to get back to you. We wanted to dig into your references to make sure there wasn't something we missed, and it took a while to find someone that knew about these initiatives at ISO. The general feedback is "what they're doing is not really what you're doing", meaning there is overlap, but it's complementary, not competing. I'll go through what we've learned so far:

"ISO/IEC 29191 Requirements for partially anonymous, partially unlinkable authentication"

This specification only specifies a framework and requirements for partially anonymous and partially unlinkable authentication. While this aspect of privacy is important to the Verifiable Claims work, it does not provide a technical solution with an RF licensing policy. The Verifiable Claims work would certainly take the framework and requirements into account, thus the work is complementary.

"ISO/IEC 29003 Identity proofing"

There is no public information available about this work; you need to be a member of ISO. The Web Payments IG may be able to look more deeply into this work via their ISO liaison status. That said, Identity Proofing, while important, has to do with the issuing of verifiable claims and not the work the Verifiable Claims WG would undertake (the data model and representation of the claims in a variety of syntaxes and existing attribute exchange protocols). One of the other goals of the work is to create a data model and expression format (for example in JSON, JSON-LD, and other formats) that is aligned with technology pilots for verifiable claims in the education and healthcare sectors. So, the Identity Proofing work is complementary, but definitely not what the Verifiable Claims group will be working on.

"WG 5 Study Period on Privacy-preserving attribute-based entity authentication"

I note that this is a study, not a technical specification. That said, there are many interesting aspects to this study that would be useful to the technical implementation of the Verifiable Claims work. Again, complementary, not competing.

> Our experts also work in https://abc4trust.eu on how to represent
> and verify claims with privacy preserving crypto, and I’m told this
> is progressing well.

That project seems to be focused on Microsoft’s U-Prove technologies and IBM’s IdentityMixer technologies. While these are neat technologies and have a place in the ecosystem, they are not the focus of the Verifiable Claims work (which is to express claims associated with an identifier in a way that can be used in existing and future-facing attribute exchange systems)... not just in Microsoft's U-Prove system or IBM's IdentityMixer system but also in OpenID Connect, SAML, and other market vertical specific attribute exchange systems (like proprietary digital healthcare systems).

> Bottom line: The industry is not hurting from existing standards
> activities in this space.

There is no standards activity (that we know of) that is attempting to address the problem statement that we have identified. We have 31 organizations (out of 34 respondents so far) to this questionnaire that agree that the problem outlined in the charter has been properly identified, the goals are worth pursuing, and the charter that we have put forward is scoped properly (a number of these organizations have also stepped forward and said they'd most likely deploy the current technology proposal into production if it were to survive the W3C REC-track Process... and are running active pilots to kick the tires):

https://docs.google.com/forms/d/1wS32QHfxeqVu32LyZt57fVjqnywdET2ytLcaHhVxbFY/viewform

That is not to say that we've done enough due diligence or that we should dig into the links you provided in more detail. I'm merely pointing out that either we're doing a bad job communicating some of these aspects, or perhaps we should have a more in-depth discussion with your security expert to understand the nuances a bit more. Would you be willing to connect the two of us for a more in-depth discussion?

> Businesses and governments will have to deal with claims in many
> different formats, and we are skeptical that W3C can get traction
> with its own format / data model.

The participants in the Verifiable Claims Task Force and the Credentials Community Group know of no claim format and/or protocol that addresses the problem statement identified by the group (and placed in the charter).

>> If we added responses to these questions in the FAQ, would you be
>> willing to re-review those responses?
>
> I suspect you have got a lot more work to do than just update the
> FAQ to convince the AC that this community

Yes, clearly. What I meant was "we have answers to some of these questions; if we updated the FAQ w/ those answers, would you be willing to re-review?"

I think some of your questions assume that the work is new. It isn't. The work has been incubated for 2-3 years in various Community Groups at W3C.

> - has identified a specific problem that a W3C Recommendation could
> usefully address

We have data showing 31 organizations saying that we have (so far, we're still waiting on responses from an additional 50+ organizations). We'll share this data w/ the W3C AC Forum when the questionnaire closes.

> - has developed a concrete proposal that is a credible starting point
> for a standard,

We do have this, but are refining it. We were told that we shouldn't put this in the material that we send out because it might send the signal that we're insisting on a particular technology direction rather than making it an open conversation. You can find the experimental specification (some of which is implemented and being deployed in active pilots) here:

http://opencreds.org/specs/source/identity-credentials/

Note that the proposal has bits about protocol and browsers, which we are not suggesting go into the Verifiable Claims Working Group.

> - the proposal has interest / tentative support from a critical mass
> of the companies who would need to implement and deploy something
> like that spec if it is to be successful.

We're gathering that list through the questionnaire now. Most of the implementers are education and healthcare companies right now. How many companies would you expect to see to hit a "critical mass"?

> I’m not clear on what aspects of this work would need to be
> implemented in browsers,

No part of this work needs to be implemented by browsers.

Here are my takeaways from your input, Michael:

* We need to demonstrate that there is a technical proposal that we can use as a starting point and that the technical proposal has deployment in pilot projects already
* We need to demonstrate that we do have the implementers at the table and that they can achieve critical mass.
* We need to make it clear that we're not asking the browser vendors to implement anything
* We need to make it clear that this work doesn't overlap with the projects your security expert identified

Did I miss anything?

-- manu

--
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Web Payments: The Architect, the Sage, and the Moral Voice
https://manu.sporny.org/2015/payments-collaboration/
Received on Monday, 9 May 2016 15:48:46 UTC